Bug#463589: marked as done (phpbb2: CVE-2008-0471 XSRF vulnerability exploitable via crafted private message)
Your message dated Thu, 28 Feb 2008 07:52:15 + with message-id [EMAIL PROTECTED] and subject line Bug#463589: fixed in phpbb2 2.0.13+1-6sarge4 has caused the Debian Bug report #463589, regarding phpbb2: CVE-2008-0471 XSRF vulnerability exploitable via crafted private message to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact [EMAIL PROTECTED] immediately.) -- 463589: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=463589 Debian Bug Tracking System Contact [EMAIL PROTECTED] with problems ---BeginMessage--- Source: phpbb2 Severity: grave Tags: security Hi, the following CVE (Common Vulnerabilities Exposures) id was published for phpbb2. CVE-2008-0471[0]: | Cross-site request forgery (CSRF) vulnerability in privmsg.php in | phpBB 2.0.22 allows remote attackers to delete private messages (PM) | as arbitrary users via a deleteall action. I tested this sucessfully in a local phpbb2 installation as well as on phpbb.de using two test accounts. If you fix this vulnerability please also include the CVE id in your changelog entry. For further information: [0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0471 Kind regards Nico -- Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF For security reasons, all text in this mail is double-rot13 encrypted. pgp2BMFhdHwzG.pgp Description: PGP signature ---End Message--- ---BeginMessage--- Source: phpbb2 Source-Version: 2.0.13+1-6sarge4 We believe that the bug you reported is fixed in the latest version of phpbb2, which is due to be installed in the Debian FTP archive: phpbb2-conf-mysql_2.0.13-6sarge4_all.deb to pool/main/p/phpbb2/phpbb2-conf-mysql_2.0.13-6sarge4_all.deb phpbb2-languages_2.0.13-6sarge4_all.deb to pool/main/p/phpbb2/phpbb2-languages_2.0.13-6sarge4_all.deb phpbb2_2.0.13+1-6sarge4.diff.gz to pool/main/p/phpbb2/phpbb2_2.0.13+1-6sarge4.diff.gz phpbb2_2.0.13+1-6sarge4.dsc to pool/main/p/phpbb2/phpbb2_2.0.13+1-6sarge4.dsc phpbb2_2.0.13-6sarge4_all.deb to pool/main/p/phpbb2/phpbb2_2.0.13-6sarge4_all.deb A summary of the changes between this version and the previous one is attached. Thank you for reporting the bug, which will now be closed. If you have further comments please address them to [EMAIL PROTECTED], and the maintainer will reopen the bug report if appropriate. Debian distribution maintenance software pp. Thijs Kinkhorst [EMAIL PROTECTED] (supplier of updated phpbb2 package) (This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing [EMAIL PROTECTED]) -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Format: 1.7 Date: Sat, 9 Feb 2008 01:16:49 +0100 Source: phpbb2 Binary: phpbb2-languages phpbb2-conf-mysql phpbb2 Architecture: source all Version: 2.0.13+1-6sarge4 Distribution: oldstable-security Urgency: high Maintainer: Jeroen van Wolffelaar [EMAIL PROTECTED] Changed-By: Thijs Kinkhorst [EMAIL PROTECTED] Description: phpbb2 - A fully featured and skinneable flat (non-threaded) webforum phpbb2-conf-mysql - Automatic configurator for phpbb2 on MySQL database phpbb2-languages - phpBB2 additional languages Closes: 388120 405980 463589 Changes: phpbb2 (2.0.13+1-6sarge4) oldstable-security; urgency=high . * Upload to sarge to address security issues. * CVE-2006-4758: authenticated admin may upload arbitrary files (very minor issue, closes: 388120). * CVE-2006-6839: update criteria for redirection targets. * CVE-2006-6840: fix negative start parameter. * CVE-2006-6508/CVE-2006-6841: fix csrf (closes: 405980). * CVE-2008-0471: fix csrf (closes: 463589). Files: d5ca94a7a4c2b3468428a993a1dbc5cc 1011 web optional phpbb2_2.0.13+1-6sarge4.dsc c403597d08f4c5af0f62b84c5ee72a7e 67912 web optional phpbb2_2.0.13+1-6sarge4.diff.gz 944e55e056fc34d970e95b78201589fe 526154 web optional phpbb2_2.0.13-6sarge4_all.deb f0df2114bd60d9b84fbda1d241294fdd 37766 web extra phpbb2-conf-mysql_2.0.13-6sarge4_all.deb f10c4962035ede6e02417b8098efeda0 2868920 web optional phpbb2-languages_2.0.13-6sarge4_all.deb -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.6 (GNU/Linux) iQEVAwUBR6zz/mz0hbPcukPfAQID8wgAkC1l66pYum5qTcJHfUszTCEWb6CIwrV0 a+mHcUFpa0grCwkWQEd1x4t7CH7rAIoRW7N19/v6avBkIKQiAC1MvjTR7qUc1/g0 R6Aus7ZDe2PKd2PShVoLT2A6EYJSkpieyoEnVbllumQpfgKD/VP5DvX6QOYoN3xh uD4KlhkCq1uMOr3FCvY3xTf/V2F1vnEkJssn79//iP3qRCsrAzaAxM1MO2BzLkLB ZLmUhFx7/UeUeGdhwXAS0gbRb09oPO1c1yKXIB/y2hqO2UXuQLtxOlajrQES+f8W TQGWjzuXFgrW1PafmOvT24N0QDhCI+KWu8jRY122WdrDLLo9OUInYA== =vhx+ -END PGP SIGNATURE- ---End Message---
Bug#463589: marked as done (phpbb2: CVE-2008-0471 XSRF vulnerability exploitable via crafted private message)
Your message dated Sat, 16 Feb 2008 12:17:25 + with message-id [EMAIL PROTECTED] and subject line Bug#463589: fixed in phpbb2 2.0.21-7 has caused the Debian Bug report #463589, regarding phpbb2: CVE-2008-0471 XSRF vulnerability exploitable via crafted private message to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact [EMAIL PROTECTED] immediately.) -- 463589: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=463589 Debian Bug Tracking System Contact [EMAIL PROTECTED] with problems ---BeginMessage--- Source: phpbb2 Severity: grave Tags: security Hi, the following CVE (Common Vulnerabilities Exposures) id was published for phpbb2. CVE-2008-0471[0]: | Cross-site request forgery (CSRF) vulnerability in privmsg.php in | phpBB 2.0.22 allows remote attackers to delete private messages (PM) | as arbitrary users via a deleteall action. I tested this sucessfully in a local phpbb2 installation as well as on phpbb.de using two test accounts. If you fix this vulnerability please also include the CVE id in your changelog entry. For further information: [0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0471 Kind regards Nico -- Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF For security reasons, all text in this mail is double-rot13 encrypted. pgpiAmLWmIAD1.pgp Description: PGP signature ---End Message--- ---BeginMessage--- Source: phpbb2 Source-Version: 2.0.21-7 We believe that the bug you reported is fixed in the latest version of phpbb2, which is due to be installed in the Debian FTP archive: phpbb2-conf-mysql_2.0.21-7_all.deb to pool/main/p/phpbb2/phpbb2-conf-mysql_2.0.21-7_all.deb phpbb2-languages_2.0.21-7_all.deb to pool/main/p/phpbb2/phpbb2-languages_2.0.21-7_all.deb phpbb2_2.0.21-7.diff.gz to pool/main/p/phpbb2/phpbb2_2.0.21-7.diff.gz phpbb2_2.0.21-7.dsc to pool/main/p/phpbb2/phpbb2_2.0.21-7.dsc phpbb2_2.0.21-7_all.deb to pool/main/p/phpbb2/phpbb2_2.0.21-7_all.deb A summary of the changes between this version and the previous one is attached. Thank you for reporting the bug, which will now be closed. If you have further comments please address them to [EMAIL PROTECTED], and the maintainer will reopen the bug report if appropriate. Debian distribution maintenance software pp. Thijs Kinkhorst [EMAIL PROTECTED] (supplier of updated phpbb2 package) (This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing [EMAIL PROTECTED]) -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Format: 1.7 Date: Sat, 9 Feb 2008 00:27:23 +0100 Source: phpbb2 Binary: phpbb2-languages phpbb2-conf-mysql phpbb2 Architecture: source all Version: 2.0.21-7 Distribution: stable-security Urgency: high Maintainer: Jeroen van Wolffelaar [EMAIL PROTECTED] Changed-By: Thijs Kinkhorst [EMAIL PROTECTED] Description: phpbb2 - A fully featured and skinnable flat (non-threaded) webforum phpbb2-conf-mysql - Automatic configurator for phpbb2 on MySQL database phpbb2-languages - phpBB2 additional languages Closes: 463589 Changes: phpbb2 (2.0.21-7) stable-security; urgency=high . * Upload to stable to fix cross site request forgery in private messaging (CVE-2008-0471, closes: #463589). Files: 88ad3a4f2ee714cce779873b53ebd323 1051 web optional phpbb2_2.0.21-7.dsc 30383a9bf6c5d21736e4bdf9ec7852d5 3203456 web optional phpbb2_2.0.21.orig.tar.gz 896f80500e90867741c516e57fc8bfcc 90580 web optional phpbb2_2.0.21-7.diff.gz e8825ef3431bfe7ccf72f9f59f13a119 554842 web optional phpbb2_2.0.21-7_all.deb 49baf96bcc1c273a93e8bb5169dca722 53706 web extra phpbb2-conf-mysql_2.0.21-7_all.deb afd8a0fe8138c8a5cf00a3e4ac10ac59 2791410 web optional phpbb2-languages_2.0.21-7_all.deb -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.6 (GNU/Linux) iQEVAwUBR6z0YGz0hbPcukPfAQK92gf/Yp71BGmPqZdqrNlRdcLUIcWM2u1Tz/am zttJsmSCHolwbW8OCtXHVfm2jZpNGwnn2WV6iiYhrXVP61FGbciqHiqL88sqw3aT 6jcUlC3POIIH5P9gwS8MyO5+fxn+6P8sneVhAJSZWR/2xq9LlorOMdpEBfI0o82I 6CESjBDX9+9EFckCZVW8dqqVk7H32jwDyFFpZbgqDbhmkax/mBDa+IJRanj7SSdf CkHN7oxTgWFzJCC0CdsqAFVN5VKyH6CYEybuz0nUaOjUB0CfpI5XRGu5KVjuHhDq ZRd/cE9R8QdW2ooY+Ee2GbEWCxv1WsGuQJm1zgJywlXC8AtYhtB4mQ== =TJeW -END PGP SIGNATURE- ---End Message---
Bug#463589: marked as done (phpbb2: CVE-2008-0471 XSRF vulnerability exploitable via crafted private message)
Your message dated Fri, 15 Feb 2008 19:52:37 + with message-id [EMAIL PROTECTED] and subject line Bug#463589: fixed in phpbb2 2.0.21-7 has caused the Debian Bug report #463589, regarding phpbb2: CVE-2008-0471 XSRF vulnerability exploitable via crafted private message to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact [EMAIL PROTECTED] immediately.) -- 463589: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=463589 Debian Bug Tracking System Contact [EMAIL PROTECTED] with problems ---BeginMessage--- Source: phpbb2 Severity: grave Tags: security Hi, the following CVE (Common Vulnerabilities Exposures) id was published for phpbb2. CVE-2008-0471[0]: | Cross-site request forgery (CSRF) vulnerability in privmsg.php in | phpBB 2.0.22 allows remote attackers to delete private messages (PM) | as arbitrary users via a deleteall action. I tested this sucessfully in a local phpbb2 installation as well as on phpbb.de using two test accounts. If you fix this vulnerability please also include the CVE id in your changelog entry. For further information: [0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0471 Kind regards Nico -- Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF For security reasons, all text in this mail is double-rot13 encrypted. pgpyjn2KHU0fW.pgp Description: PGP signature ---End Message--- ---BeginMessage--- Source: phpbb2 Source-Version: 2.0.21-7 We believe that the bug you reported is fixed in the latest version of phpbb2, which is due to be installed in the Debian FTP archive: phpbb2-conf-mysql_2.0.21-7_all.deb to pool/main/p/phpbb2/phpbb2-conf-mysql_2.0.21-7_all.deb phpbb2-languages_2.0.21-7_all.deb to pool/main/p/phpbb2/phpbb2-languages_2.0.21-7_all.deb phpbb2_2.0.21-7.diff.gz to pool/main/p/phpbb2/phpbb2_2.0.21-7.diff.gz phpbb2_2.0.21-7.dsc to pool/main/p/phpbb2/phpbb2_2.0.21-7.dsc phpbb2_2.0.21-7_all.deb to pool/main/p/phpbb2/phpbb2_2.0.21-7_all.deb A summary of the changes between this version and the previous one is attached. Thank you for reporting the bug, which will now be closed. If you have further comments please address them to [EMAIL PROTECTED], and the maintainer will reopen the bug report if appropriate. Debian distribution maintenance software pp. Thijs Kinkhorst [EMAIL PROTECTED] (supplier of updated phpbb2 package) (This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing [EMAIL PROTECTED]) -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Format: 1.7 Date: Sat, 9 Feb 2008 00:27:23 +0100 Source: phpbb2 Binary: phpbb2-languages phpbb2-conf-mysql phpbb2 Architecture: source all Version: 2.0.21-7 Distribution: stable-security Urgency: high Maintainer: Jeroen van Wolffelaar [EMAIL PROTECTED] Changed-By: Thijs Kinkhorst [EMAIL PROTECTED] Description: phpbb2 - A fully featured and skinnable flat (non-threaded) webforum phpbb2-conf-mysql - Automatic configurator for phpbb2 on MySQL database phpbb2-languages - phpBB2 additional languages Closes: 463589 Changes: phpbb2 (2.0.21-7) stable-security; urgency=high . * Upload to stable to fix cross site request forgery in private messaging (CVE-2008-0471, closes: #463589). Files: 88ad3a4f2ee714cce779873b53ebd323 1051 web optional phpbb2_2.0.21-7.dsc 30383a9bf6c5d21736e4bdf9ec7852d5 3203456 web optional phpbb2_2.0.21.orig.tar.gz 896f80500e90867741c516e57fc8bfcc 90580 web optional phpbb2_2.0.21-7.diff.gz e8825ef3431bfe7ccf72f9f59f13a119 554842 web optional phpbb2_2.0.21-7_all.deb 49baf96bcc1c273a93e8bb5169dca722 53706 web extra phpbb2-conf-mysql_2.0.21-7_all.deb afd8a0fe8138c8a5cf00a3e4ac10ac59 2791410 web optional phpbb2-languages_2.0.21-7_all.deb -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.6 (GNU/Linux) iQEVAwUBR6z0YGz0hbPcukPfAQK92gf/Yp71BGmPqZdqrNlRdcLUIcWM2u1Tz/am zttJsmSCHolwbW8OCtXHVfm2jZpNGwnn2WV6iiYhrXVP61FGbciqHiqL88sqw3aT 6jcUlC3POIIH5P9gwS8MyO5+fxn+6P8sneVhAJSZWR/2xq9LlorOMdpEBfI0o82I 6CESjBDX9+9EFckCZVW8dqqVk7H32jwDyFFpZbgqDbhmkax/mBDa+IJRanj7SSdf CkHN7oxTgWFzJCC0CdsqAFVN5VKyH6CYEybuz0nUaOjUB0CfpI5XRGu5KVjuHhDq ZRd/cE9R8QdW2ooY+Ee2GbEWCxv1WsGuQJm1zgJywlXC8AtYhtB4mQ== =TJeW -END PGP SIGNATURE- ---End Message---
Bug#463589: marked as done (phpbb2: CVE-2008-0471 XSRF vulnerability exploitable via crafted private message)
Your message dated Fri, 08 Feb 2008 21:47:08 + with message-id [EMAIL PROTECTED] and subject line Bug#463589: fixed in phpbb2 2.0.22-3 has caused the attached Bug report to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what I am talking about this indicates a serious mail system misconfiguration somewhere. Please contact me immediately.) Debian bug tracking system administrator (administrator, Debian Bugs database) ---BeginMessage--- Source: phpbb2 Severity: grave Tags: security Hi, the following CVE (Common Vulnerabilities Exposures) id was published for phpbb2. CVE-2008-0471[0]: | Cross-site request forgery (CSRF) vulnerability in privmsg.php in | phpBB 2.0.22 allows remote attackers to delete private messages (PM) | as arbitrary users via a deleteall action. I tested this sucessfully in a local phpbb2 installation as well as on phpbb.de using two test accounts. If you fix this vulnerability please also include the CVE id in your changelog entry. For further information: [0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0471 Kind regards Nico -- Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF For security reasons, all text in this mail is double-rot13 encrypted. pgpTZqOL9wVyp.pgp Description: PGP signature ---End Message--- ---BeginMessage--- Source: phpbb2 Source-Version: 2.0.22-3 We believe that the bug you reported is fixed in the latest version of phpbb2, which is due to be installed in the Debian FTP archive: phpbb2-conf-mysql_2.0.22-3_all.deb to pool/main/p/phpbb2/phpbb2-conf-mysql_2.0.22-3_all.deb phpbb2-languages_2.0.22-3_all.deb to pool/main/p/phpbb2/phpbb2-languages_2.0.22-3_all.deb phpbb2_2.0.22-3.diff.gz to pool/main/p/phpbb2/phpbb2_2.0.22-3.diff.gz phpbb2_2.0.22-3.dsc to pool/main/p/phpbb2/phpbb2_2.0.22-3.dsc phpbb2_2.0.22-3_all.deb to pool/main/p/phpbb2/phpbb2_2.0.22-3_all.deb A summary of the changes between this version and the previous one is attached. Thank you for reporting the bug, which will now be closed. If you have further comments please address them to [EMAIL PROTECTED], and the maintainer will reopen the bug report if appropriate. Debian distribution maintenance software pp. Thijs Kinkhorst [EMAIL PROTECTED] (supplier of updated phpbb2 package) (This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing [EMAIL PROTECTED]) -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Format: 1.7 Date: Fri, 08 Feb 2008 21:59:08 +0100 Source: phpbb2 Binary: phpbb2 phpbb2-conf-mysql phpbb2-languages Architecture: source all Version: 2.0.22-3 Distribution: unstable Urgency: high Maintainer: Jeroen van Wolffelaar [EMAIL PROTECTED] Changed-By: Thijs Kinkhorst [EMAIL PROTECTED] Description: phpbb2 - A fully featured and skinnable flat (non-threaded) webforum phpbb2-conf-mysql - Automatic configurator for phpbb2 on MySQL database phpbb2-languages - phpBB2 additional languages Closes: 346349 441752 450252 463589 Changes: phpbb2 (2.0.22-3) unstable; urgency=high . * Fix Cross Site Request Forgery in private messages (CVE-2008-0471, closes: #463589). High urgency. * Added Slovak debconf translation by Ivan Masár (Closes: #441752). * Fix watch file (Closes: #450252). * Fix name of nodbpurge template in postrm (Closes: #346349), thanks Cameron Dale. * Checked for policy 3.7.3, no changes. Files: e34824a43856e9f5ce71db987fc9d940 1142 web optional phpbb2_2.0.22-3.dsc 6335268155f608a63d698bc96bbecece 91949 web optional phpbb2_2.0.22-3.diff.gz d6e5f12f5455ba61045000a758165755 553996 web optional phpbb2_2.0.22-3_all.deb b82d42727fd9f8561eb3a79efbf95de1 57192 web extra phpbb2-conf-mysql_2.0.22-3_all.deb 5ef74d61e4f9de1386474b821e18e0a9 2767590 web optional phpbb2-languages_2.0.22-3_all.deb -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.6 (GNU/Linux) iQEVAwUBR6zIcWz0hbPcukPfAQKnVAgAkUDg4m54qTFY2DvVwhc/1ac6SmhwTlqu RpL21kPRONCc5u1ESEnvD6SPqvmkdGJ5w86P7PPcmZzKQHdrY2oUgVwAd89ViqNX TeKxkIupxqt3xeH+kVtwkuxFwzJQlgd8UmSNF15Xdbx77PZBA9VQCoEhMwn3qkUO 8Vcoj4kmQodmwzSU0IqwrjSXlKYYQ7tw9qOSsTDC0IuMRogZkZx+TqF2XEvoGm/Q wQQpbjIduVXaHo/9qXBCFdOInPW46wLaiYH2WUJmZwR2sGLFjoE7BYCGluoSN2HO 3WtxFcAGnn0zCuu1db65L5290KGQjPlWlzRJtmO5lxxYRrJuIzU8qA== =m7uQ -END PGP SIGNATURE- ---End Message---